I take this as a request to change the default behavior.

At Sat, 11 Feb 2012 00:27:54 +0100,
Christoph Anton Mitterer wrote:
>
> Package: pbuilder
> Version: 0.206
> Severity: important
>
>
> Hi.
>
> Marking this as important, as it might be security relevant:
>
>
> Installing potentially unverified packages is basically like posting your
> root password on the internet and removing the last character.
>
>
> Reading through pbuilderrc(5) I found these:
>
> 1)
> PBUILDERSATISFYDEPENDSOPT=('--check-key')
> > Array of flags to give to pbuilder-satisfydepends. Specifying
> > --check-key here will try to verify key signatures.
> What does try mean here? Can't this be changed to just fail if verification
> doesn't work?
>
>
> 2)
> APTGETOPT=('--force-yes')
> > Extra flags to give to apt-get. Default is --force-yes, which
> > will skip key verification of packages to be installed. Unset if
> > you want to enable key verification.
>
> If this disables key verification it should be disabled per default.
>
>
> Cheers,
> Chris.
>
> btw: Some time ago, I've already reported a bug about the insecure usage
> of debootstrap.
> You've then added the --keyring option as default.
> It seems that debootstrap changed to do this per default itself (have a
> look).
> So when you depend on the recent enough version, you could drop this again.
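As an added example, not part of this thread or of pbuilder itself: a small shell audit that sources a pbuilderrc in a bash subshell and flags the two settings the report quotes, APTGETOPT carrying --force-yes and PBUILDERSATISFYDEPENDSOPT lacking --check-key. The helper names pbuilderrc_get and check_pbuilderrc and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# pbuilderrc is bash syntax (arrays), so it is sourced in a bash subshell
# rather than parsed by hand. Requires bash to be installed.

# Print each element of array variable $2 from pbuilderrc $1, one per line.
# (constructed helper; the subshell keeps the config from touching our state)
pbuilderrc_get() {
    bash -c '. "$1" || exit 1; ref="$2[@]"; printf "%s\n" "${!ref}"' _ "$1" "$2"
}

# Return 0 if $1 keeps key verification enabled, 1 otherwise.
# Findings are printed to stdout, one per line.
check_pbuilderrc() {
    rc=0
    if pbuilderrc_get "$1" APTGETOPT | grep -qx -- '--force-yes'; then
        echo "$1: APTGETOPT contains --force-yes (apt key verification skipped)"
        rc=1
    fi
    if ! pbuilderrc_get "$1" PBUILDERSATISFYDEPENDSOPT | grep -qx -- '--check-key'; then
        echo "$1: PBUILDERSATISFYDEPENDSOPT lacks --check-key"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: the defaults quoted in the report, and a
# hardened variant with --force-yes removed.
WEAK_RC=$(mktemp)
HARDENED_RC=$(mktemp)
trap 'rm -f "$WEAK_RC" "$HARDENED_RC"' EXIT
cat >"$WEAK_RC" <<'EOF'
PBUILDERSATISFYDEPENDSOPT=('--check-key')
APTGETOPT=('--force-yes')
EOF
cat >"$HARDENED_RC" <<'EOF'
PBUILDERSATISFYDEPENDSOPT=('--check-key')
APTGETOPT=()
EOF

check_pbuilderrc "$WEAK_RC" || echo "weak config rejected"
check_pbuilderrc "$HARDENED_RC" && echo "hardened config accepted"
```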